download:	/cmdsoftworks/solara/-/raw/main/Files/Bootstrapper.exe
Full analysis:	https://app.any.run/tasks/bbb74a37-cf78-4d4d-8e54-0b73c1c99047
Verdict:	Malicious activity
Analysis date:	July 25, 2024, 14:48:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	qrcode
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	777228BA067C7F49D22607D3C583F2FD
SHA1:	5D69B4418290F2332C480F15707F14A3BB82D41E
SHA256:	2532B436D5E8CD8D04F3774159FC6EFB7A5409A655BDCAC3E58183A69BBE3D5D
SSDEEP:	24576:YKBc1g9OUmrwTwOoauhhD4l5f6CMF8SoTOxZ7FDmB:YIc1g9OUkEoauhhUl5f6CMF8SoTOx7mB

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:25 14:25:03+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	814080
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xc8b4e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows command line
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	SolaraBootstrapper
FileVersion:	1.0.0.0
InternalName:	SolaraBootstrapper.exe
LegalCopyright:	Copyright © 2024
LegalTrademarks:	-
OriginalFileName:	SolaraBootstrapper.exe
ProductName:	SolaraBootstrapper
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4248) Bootstrapper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Bootstrapper_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
1252	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
1252	msiexec.exe	C:\Windows\Installer\efb92.msi		—
		MD5:—	SHA256:—
3304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		binary
		MD5:098175DE357C9073BF168F9FF9C779F3	SHA256:6656DDF7891FC3F2F95E5A061BCDEF1DB56DA5B187A68818146AD71BEAEB1033
3304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CEA48AEE703922244E2530F7A011BBC6		der
		MD5:147FD66145D430412343F6D549909B22	SHA256:766A50A02E8D87BB56D368F7790818243F8811FC835D3C73CF0E9FE21643D736
3304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5		der
		MD5:A580051B0422366982ABE7E72E3CBAC9	SHA256:DF5F83541A14612232D5FB85F494D1B69F944394F816C5BB92BDFFC87AC33A61
1252	msiexec.exe	C:\Program Files\nodejs\corepack.cmd		text
		MD5:C046E14548EBB384EF71C0EFEA0E857A	SHA256:920630A1D1EC47AEDEA7345E3C868ECDC07E191373497BBF47FBBF5942FBAD4F
1252	msiexec.exe	C:\Windows\Installer\MSI1E42.tmp		executable
		MD5:A3AE5D86ECF38DB9427359EA37A5F646	SHA256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
1252	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:3F47A2BD79D37E6FD58A3D94DCC095B4	SHA256:F888C9CA5F08B790C9B6894871860D70C4E0A5468A939FA4CB28F4D2EF8DEEC8
1252	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{3bc7a57a-ad56-447e-a4c4-b76183e99678}_OnDiskSnapshotProp		binary
		MD5:86BD46B2D1466D496D957983A32E9516	SHA256:75A033B89D9A92F8007EA2F751121E93AFD4225F16478BF16E2FF3C05CE68E70
1252	msiexec.exe	C:\Windows\Temp\~DF540D139A0AE07DE0.TMP		binary
		MD5:3F47A2BD79D37E6FD58A3D94DCC095B4	SHA256:F888C9CA5F08B790C9B6894871860D70C4E0A5468A939FA4CB28F4D2EF8DEEC8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	104.18.34.164:443	https://gitlab.com/cmdsoftworks/solara/-/raw/main/Files/endpoint	unknown	—	—	—
3304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAOO2y%2FG5AVzGnYPFRYUTIU%3D	unknown	—	—	whitelisted
3304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
—	—	GET	304	20.114.59.183:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	104.18.34.164:443	https://gitlab.com/cmdsoftworks/solara/-/raw/main/Files/endpoint	unknown	binary	525 b	—
—	—	GET	301	172.64.153.92:443	https://gitlab.com/cmdsoftworks/Solara/-/raw/main/Files/endpoint	unknown	html	130 b	—
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	—
—	—	GET	301	172.64.153.92:443	https://gitlab.com/cmdsoftworks/Solara/-/raw/main/Files/endpoint	unknown	html	130 b	—
—	—	GET	301	172.64.153.92:443	https://gitlab.com/cmdsoftworks/Solara/-/raw/main/Files/endpoint	unknown	html	130 b	—
—	—	POST	204	2.16.110.121:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4204	svchost.exe	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	239.255.255.250:1900	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3908	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6132	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4248	Bootstrapper.exe	172.65.251.78:443	gitlab.com	CLOUDFLARENET	US	unknown
1388	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.186.110	whitelisted
gitlab.com	172.65.251.78	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
self.events.data.microsoft.com	20.42.65.89	whitelisted
www.bing.com	2.16.110.123 2.16.110.121 2.16.110.171	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted

General Info

/cmdsoftworks/solara/-/raw/main/Files/Bootstrapper.exe

777228BA067C7F49D22607D3C583F2FD

5D69B4418290F2332C480F15707F14A3BB82D41E

2532B436D5E8CD8D04F3774159FC6EFB7A5409A655BDCAC3E58183A69BBE3D5D

24576:YKBc1g9OUmrwTwOoauhhD4l5f6CMF8SoTOxZ7FDmB:YIc1g9OUkEoauhhUl5f6CMF8SoTOx7mB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executes as Windows Service

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

INFO

Checks supported languages

Reads the software policy settings

Manual execution by a user

Checks proxy server information

Reads the machine GUID from the registry

Disables trace logs

Reads the computer name

Reads Environment values

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Drops the executable file immediately after the start

Application launched itself

Executable content was dropped or overwritten

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings